Smartphones, devices spark IT security "mobile melee"

Ellen Messmer |
Feb. 28, 2011

While devices such as the iPhone, iPad, Blackberry and Android are in most cases welcomed into the corporate world, there's uncertainty about how to fit them into enterprise IT security practices that have been concerned so long by Microsoft Windows.

FRAMINGHAM, 28 FEBRUARY 2011 - While devices such as the iPhone, iPad, Blackberry and Android are in most cases welcomed into the corporate world, there's uncertainty about how to fit them into enterprise IT security practices that have been concerned so long by MicrosoftWindows.

"We're excited about enabling our financial advisers to use [smartphones] in lieu of a traditional laptop," says Pat Patterson, enterprise information security architect at Raymond James (RJF) Financial, where employees are clamoring to use smartphone and tablet devices they own as part of their job. But excitement was tempered when the financial services firm, which wants to be able to exert management and security controls over iPhones, for instance, found the software agent it used for that purpose was so cumbersome and had the effect of slowing device use, that employees were complaining that it should be removed.

While it's still the early days of smartphone security, Raymond James has not found an agent-based approach yet that isn't cumbersome for its user base.

"A lot of the early forays into mobile devices have been agent-based," says Patterson, who preferred not to name some of the software he's tried on smartphones. At this point, he says he's looking at trying something totally new, Sophos Mobile Control, that Sophos is introducing later this year as an agentless approach to enforce some basic security controls such as password length, device lock and remote wipe.

Raymond James would like to open the doors to the Android device, especially since the version Android 2.2 platform introduced last year appears more security-friendly for the enterprise.

"My goal is to be a business-enabler," Patterson says. "We're excited about the potential this has. The problem is, can we meet our own security requirements?"

The debate about the pros and cons of an agent or agentless approach to the new breed of smartphones and tablets will likely grow over the coming year.

There needs to be at least a "mini-agent," as Trend Micro CEO and co-founder Eva Chen called it, on the device to exert security controls. Without some kind of agent, "you can't do it," she firmly says.

Patch management for smartphones and tablets remains problematic — even for experts in patch management at security firms which traditionally focused on the apparently unending Patch Tuesdays of Microsoft (MSFT) Windows.

Shavlik Technologies is letting its employees bring in the myriad iPhones, Androids and iPads to use at work, says Mark Shavlik, CEO of the firm. But Shavlik execs acknowledge the company, though it has expertise in Windows-based patch management, as of yet has no way to approach doing the same job for the iPads, iPhone and Androids that have come in the door.